Description
Traefik's X-Forwarded-Prefix Header still allows for Open Redirect
Impact
There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.14
- https://github.com/traefik/traefik/releases/tag/v3.2.1
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Original Description
Summary
The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) was not fixed correctly. The safePrefix function can be tricked into returning an absolute URL.
Details
The Traefik API dashboard component tries to validate that the value of the X-Forwarded-Prefix header is a site-relative path:
PoC
An attacker can bypass this by sending the following payload:
or similar:
Impact
Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.
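The advisory describes the defect as a site-relative-path check that can be made to return an absolute URL. The following Go function is an added illustration of what such a check needs to reject before a forwarded prefix is echoed into a redirect; it is example code written for this page, not Traefik's safePrefix and not part of the advisory, and the names siteRelativePrefix and ErrNotSiteRelative are the example's own. It rejects values with a scheme or authority, protocol-relative values (a leading "//"), backslash variants that browsers treat as slashes, and control characters, and returns only a cleaned path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrNotSiteRelative is returned when a forwarded prefix cannot be used as a
// site-relative path. The name is chosen for this example, not taken from Traefik.
var ErrNotSiteRelative = errors.New("prefix is not a site-relative path")

// siteRelativePrefix returns a cleaned, site-relative path for an
// X-Forwarded-Prefix value, or ErrNotSiteRelative when a browser could
// interpret the value as an absolute or protocol-relative URL.
func siteRelativePrefix(prefix string) (string, error) {
	if prefix == "" {
		return "/", nil
	}
	// Reject control characters and whitespace: user agents strip or
	// re-interpret them, so they must never reach a redirect target.
	for _, r := range prefix {
		if r <= ' ' || r == 0x7f {
			return "", ErrNotSiteRelative
		}
	}
	// Browsers treat a backslash like a forward slash in front of an
	// authority, so normalise before looking for a leading "//".
	p := strings.ReplaceAll(prefix, `\`, "/")
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") {
		return "", ErrNotSiteRelative
	}
	u, err := url.Parse(p)
	if err != nil {
		return "", ErrNotSiteRelative
	}
	// Any scheme, authority or opaque part means this is not a bare path.
	// With the checks above this cannot trigger, but it documents the intent
	// and guards against future changes to the earlier checks.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", ErrNotSiteRelative
	}
	// Keep only the still percent-encoded path: a prefix carries no query or
	// fragment. path.Clean resolves ".." and collapses repeated slashes, so
	// the result starts with exactly one slash.
	return path.Clean(u.EscapedPath()), nil
}

func main() {
	// Constructed inputs for illustration only.
	inputs := []string{
		"", "/dashboard/", "/api/../dashboard", "/dash?next=1",
		"//example.org", "http://example.org", `/\example.org`, "dashboard",
	}
	for _, in := range inputs {
		out, err := siteRelativePrefix(in)
		fmt.Printf("%-22q -> %q err=%v\n", in, out, err)
	}
}
```

The leading "//" test runs on the raw string rather than on the cleaned path on purpose: path.Clean would collapse "//example.org" or "///example.org" into "/example.org", hiding the fact that a browser resolves the original value against a different host.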
Packages
github.com/traefik/traefik/v2: affected versions < 2.11.14, patched in 2.11.14
github.com/traefik/traefik/v3: affected versions < 3.2.1, patched in 3.2.1
Related vulnerabilities
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.